宜蘭縣教育支援平台 (Yilan County Education Support Platform)

Reference: bash 漏洞檢測與修補 « Jamyy's Weblog (bash vulnerability detection and patching)

For the damage the bash vulnerability can cause, see:
MyFirefox | Unix亮紅燈!大漏洞「Shellshock」可惡意挾持電腦系統 (major "Shellshock" vulnerability allows hijacking of Unix systems)

CentOS 5.x
# cat /etc/redhat-release
CentOS release 5.10 (Final)

Currently installed bash package
# rpm -qa | grep bash
bash-3.2-32.el5_9.1

bash version
# bash --version
GNU bash, version 3.2.25(1)-release (i386-redhat-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.

Check for the vulnerability (a vulnerable bash executes the command that follows the function body in the imported environment variable):
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

bash package after updating (two successive updates are shown: the first Shellshock fix was incomplete and was followed by further errata, so compare the installed release against the latest one the vendor offers, not just against the first fixed version)
# rpm -qa | grep bash
bash-3.2-33.el5.1

bash-3.2-33.el5_10.4

bash version (unchanged after the update: the fix is a backport, so only the rpm release number and the test below tell you whether the patch is in)
# bash --version
GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.

Check again after the update (a patched bash refuses to import the function and the injected command does not run):
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
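The probe the page runs, wrapped in a shell function with the output classification separated out so it can be exercised on constructed output without a vulnerable bash. This is an added example, not code from the original post; the binary path and the two sample outputs are constructed to match what the page shows before and after the update.

```shell
# Added example (not from the original page): wrap the classic Shellshock
# probe in a function and classify its output.

# "vulnerable" if the injected command ran, otherwise "patched".
classify_shellshock_output() {
  case "$1" in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# Run the probe against a given bash binary (default: the first bash in PATH).
# stderr is discarded because a patched bash prints the
# "ignoring function definition attempt" warning there.
# Returns 0 when patched, 1 when vulnerable, 2 when the binary is missing.
shellshock_check() {
  bin=${1:-bash}
  if ! command -v "$bin" >/dev/null 2>&1; then
    echo "not found"
    return 2
  fi
  out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null)
  result=$(classify_shellshock_output "$out")
  echo "$result"
  [ "$result" = patched ]
}

# Constructed outputs matching the page's before/after runs.
BEFORE_UPDATE='vulnerable
this is a test'
AFTER_UPDATE='this is a test'

# Check the bash in PATH; older interpreters (e.g. /bin/bash on an
# un-updated host) can be passed explicitly: shellshock_check /bin/bash
if command -v bash >/dev/null 2>&1; then
  shellshock_check bash || echo "bash in PATH is VULNERABLE: update it"
fi
```

Run it on every bash binary on the host (for example one installed from source under /usr/local), since `yum update bash` only replaces the packaged one.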

(Read full article)

The OpenSSL Heartbleed vulnerability has been called one of the most dangerous bugs ever found, so anyone administering Linux/BSD servers must check whether the servers they manage are affected.
A few related pages found online:
OpenSSL Heartbleed 漏洞檢測 @ CentOS 6 « Jamyy's Weblog (Heartbleed detection on CentOS 6)
修復CentOS 6.5 OpenSSL CVE-2014-0160資安漏洞的方法 | 阿維雜記本 (Wei's Blog) (fixing the OpenSSL CVE-2014-0160 vulnerability on CentOS 6.5)
OpenSSL Heartbleed漏洞危機特別報導 | iThome (special report on the Heartbleed crisis)
Test your server for Heartbleed
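Two local checks for Heartbleed (CVE-2014-0160) on a CentOS host, added here as an example rather than taken from the page or the linked posts. The version classifier is only a hint: CentOS backports the fix without changing the upstream version string, which is exactly why the `rpm --changelog` check is the authoritative one there. The version strings in the test are constructed.

```shell
# Added example, not from the page: Heartbleed checks for a CentOS host.

# Map an "openssl version" string to a hint.  Upstream 1.0.1 through 1.0.1f
# and 1.0.2-beta1 shipped with the bug; 1.0.1g and every later release fixed
# it; 0.9.8 and 1.0.0 never contained the TLS heartbeat code.
heartbleed_version_hint() {
  set -- $1                 # "OpenSSL 1.0.1e-fips 11 Feb 2013" -> $2 is the version
  v=$2
  case "$v" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
      echo "upstream version affected: check vendor patch level" ;;
    1.0.1*|1.0.2*|1.[1-9]*|[2-9].*)
      echo "fixed upstream" ;;
    0.9.8*|1.0.0*)
      echo "not affected (no heartbeat support)" ;;
    *)
      echo "unknown version: $v" ;;
  esac
}

# On RHEL/CentOS the package version stays 1.0.1e after the fix, so grep the
# package changelog for the CVE instead of trusting the version string.
heartbleed_rpm_check() {
  if rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'; then
    echo "openssl changelog mentions CVE-2014-0160: package is patched"
    return 0
  fi
  echo "no CVE-2014-0160 entry in the openssl changelog: update the package"
  return 1
}

# Usage on a live host (both commands are real; nothing is run at load time):
#   heartbleed_version_hint "$(openssl version)"
#   heartbleed_rpm_check
# After updating, restart every service that has libssl loaded (httpd,
# dovecot, openvpn, ...) or the old library stays mapped in memory.
```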

Rootkit Hunter (rkhunter) checks a Linux/BSD system for known rootkits, backdoors, trojans and other malware, and also flags some insecure settings. Administrators can install it to check a system and use the report as a reference for hardening.
Rootkit Hunter is not in the official CentOS repositories, so install it from the EPEL repository:
1. Install Rootkit Hunter
# yum install rkhunter --enablerepo=epel

2. Update the Rootkit Hunter data files
# rkhunter --update
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

3. Usage: -c is short for --check; --lang selects the output language (default English)
# rkhunter -c --lang zh.utf8
[ Rootkit Hunter version 1.4.0 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ None found ]

  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /sbin/chkconfig                                          [ OK ]
    /sbin/depmod                                             [ OK ]
    /sbin/fsck                                               [ OK ]
    /sbin/fuser                                              [ OK ]
    /sbin/ifconfig                                           [ OK ]
    /sbin/ifdown                                             [ OK ]
    /sbin/ifup                                               [ OK ]
    /sbin/init                                               [ OK ]
    /sbin/insmod                                             [ OK ]
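A small wrapper for running rkhunter unattended and pulling the warnings out of its output, added here as an example (not code from the page or from the rkhunter project). The `[ Warning ]` on the file-properties check above is typically what you see when a package update has replaced a binary since the last baseline; the fix is to re-baseline with `--propupd` right after a trusted `yum update`, never after a warning you have not explained. The flags used (`--update`, `--propupd`, `--check`, `--sk`, `--nocolors`, `--report-warnings-only`) are documented rkhunter 1.4 options; the sample output in the block is constructed.

```shell
# Added example, not from the page: cron-style rkhunter run plus a parser
# for the warnings in its output.

# Refresh data files, then re-baseline file properties.  Only do this right
# after a package update you trust; otherwise a real change gets baselined.
rkhunter_rebaseline() {
  rkhunter --update && rkhunter --propupd
}

# Non-interactive check: no keypress prompts, no colour codes, warnings only.
rkhunter_cron_check() {
  rkhunter --check --sk --nocolors --report-warnings-only
}

# Print the lines rkhunter tagged "[ Warning ]" (stdin), stripping ANSI
# colour codes in case the output was captured from an interactive run.
rkhunter_warnings() {
  sed "s/$(printf '\033')\[[0-9;]*m//g" | grep -E '\[ *Warning *\]'
}

# Number of warning lines; 0 when nothing was flagged.
rkhunter_warning_count() {
  rkhunter_warnings | grep -c .
}

# Constructed sample in rkhunter's English output format.
RKHUNTER_SAMPLE='  Performing file properties checks
    Checking for prerequisites                               [ Warning ]
    /sbin/chkconfig                                          [ OK ]
    /usr/bin/curl                                            [ Warning ]'

# Usage on a host (nothing is executed at load time):
#   rkhunter_cron_check | rkhunter_warnings
```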

(Read full article)

Anyone hosting a site on Apache / MySQL / PHP has probably installed phpMyAdmin to manage the database through the browser. phpMyAdmin has had security vulnerabilities, so some attacks first scan web servers for a phpMyAdmin installation under the usual paths and then try to exploit it.
Attack attempts seen in the web server log
# grep admin /var/log/httpd/error_log
[error] [client 70.87.15.74] File does not exist: /var/www/html/admin
[error] [client 70.87.15.74] File does not exist: /var/www/html/dbadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/myadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/mysqladmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/php-my-admin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin1
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin2
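The scan above is easy to spot mechanically: one client asking for many different non-existent admin-style paths in quick succession. The following awk pipeline, added as an example (not from the page), counts distinct missing admin-like paths per client in the Apache 2.2 `error_log` format shown above and reports clients over a threshold. The sample log reuses the page's nine lines plus two constructed benign lines from a second client.

```shell
# Added example, not from the page: find clients enumerating admin paths
# in Apache's error_log ("File does not exist" entries).

# Print "IP distinct-path-count" for every client that requested at least
# $1 (default 5) distinct missing paths whose name contains "admin" or "pma".
# Assumes the Apache 2.2 "[client 1.2.3.4]" form the page shows (2.4 appends
# ":port", which this pattern would not match).
admin_path_scanners() {
  threshold=${1:-5}
  awk -v threshold="$threshold" '
    /File does not exist:/ {
      if (!match($0, /\[client [0-9.]+\]/)) next
      ip = substr($0, RSTART + 8, RLENGTH - 9)   # drop "[client " and "]"
      path = $0
      sub(/.*File does not exist: /, "", path)
      if (tolower(path) !~ /admin|pma/) next
      if (!((ip, path) in seen)) { seen[ip, path] = 1; hits[ip]++ }
    }
    END { for (ip in hits) if (hits[ip] >= threshold) print ip, hits[ip] }'
}

# The page's log lines plus two constructed lines from a harmless client.
ERROR_LOG_SAMPLE='[error] [client 70.87.15.74] File does not exist: /var/www/html/admin
[error] [client 70.87.15.74] File does not exist: /var/www/html/dbadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/myadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/mysqladmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/php-my-admin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin1
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin2
[error] [client 10.0.0.9] File does not exist: /var/www/html/favicon.ico
[error] [client 10.0.0.9] File does not exist: /var/www/html/admin'

# Usage on a host:  admin_path_scanners 5 < /var/log/httpd/error_log
```

Whatever the scanner finds, the real mitigation is to not leave phpMyAdmin reachable from the whole Internet: restrict it by source address in the Apache configuration (or serve it only over a VPN), keep it updated, and feed the scanner's output to a blocker such as fail2ban if you want automatic bans.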

(Read full article)

Installing on CentOS 6.x
# yum install pure-ftpd --enablerepo=rpmforge

Start the Pure-FTPd server
# /etc/init.d/pure-ftpd start
Starting pure-ftpd:                                        [  OK  ]

Edit /etc/rsyslog.conf so that Pure-FTPd's log messages go to a file of their own (Pure-FTPd logs through syslog using the ftp facility by default, so this selector catches them; note that the stock `*.info` selector for /var/log/messages will still receive them too unless you add `ftp.none` to it)
# vim /etc/rsyslog.conf
ftp.*                                                /var/log/pureftpd.log

Restart rsyslog
# /etc/init.d/rsyslog restart

Check that the log file has been created
# ls -l /var/log/pureftpd.log
-rw-------. 1 root root 0 Jan  1 14:54 /var/log/pureftpd.log

(Read full article)

Edit /etc/proftpd.conf so that ProFTPD writes its own log files
# vim /etc/proftpd.conf
# log files
SystemLog                       /var/log/proftpd/proftpd.log
TransferLog                     /var/log/proftpd/xferlog

Restart ProFTPD
# service proftpd restart
Shutting down proftpd:                                     [  OK  ]
Starting proftpd:                                          [  OK  ]

The log files now appear under /var/log/proftpd
# ls -l /var/log/proftpd/proftpd.log
-rw-r-----. 1 root root 129 Jan  1 14:24 /var/log/proftpd/proftpd.log

(Read full article)

Edit the vsFTPd configuration. With xferlog_enable=YES and xferlog_std_format left commented out (its default is NO), vsftpd writes its own detailed log format to vsftpd_log_file, which defaults to /var/log/vsftpd.log; set xferlog_std_format=YES to get wu-ftpd style transfer records in xferlog_file instead, or dual_log_enable=YES to get both.
# vim /etc/vsftpd/vsftpd.conf
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
#xferlog_std_format=YES

Restart vsFTPd
# service vsftpd restart
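The three FTP posts above all answer the same question, "where do my FTP logs actually end up?", and the answer is easy to get wrong for the two syslog-independent cases. The block below, an added example that is not code from the page or from any of the three daemons, resolves it in two ways: it reads the active `ftp.*` selector out of an rsyslog configuration (for the Pure-FTPd setup) and works out the effective vsftpd log file(s) from the `xferlog_enable` / `xferlog_std_format` / `dual_log_enable` settings, using vsftpd's documented defaults. The sample configurations embedded in the block are constructed; the vsftpd one mirrors the page's settings.

```shell
# Added example, not from the page: resolve where FTP logs are written.

# Print the target of the first uncommented "ftp.<priority>" selector in
# an rsyslog configuration read on stdin (a leading "-" marks an async
# file target and is stripped).  Prints nothing if there is none.
rsyslog_ftp_target() {
  awk '$1 !~ /^#/ && $1 ~ /^ftp\./ { sub(/^-/, "", $2); print $2; exit }'
}

# Read a vsftpd.conf on stdin and print the file(s) vsftpd will log to,
# applying the daemon defaults: xferlog_enable=NO, xferlog_std_format=NO,
# xferlog_file=/var/log/xferlog, vsftpd_log_file=/var/log/vsftpd.log,
# dual_log_enable=NO.  Prints "none" when logging is disabled.
vsftpd_effective_log() {
  enable=NO; std=NO; dual=NO
  xfile=/var/log/xferlog; vfile=/var/log/vsftpd.log
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
    key=${line%%=*}; val=${line#*=}
    case "$key" in
      xferlog_enable)     enable=$val ;;
      xferlog_std_format) std=$val ;;
      xferlog_file)       xfile=$val ;;
      vsftpd_log_file)    vfile=$val ;;
      dual_log_enable)    dual=$val ;;
    esac
  done
  if [ "$enable" != YES ]; then echo none
  elif [ "$dual" = YES ]; then echo "$vfile $xfile"
  elif [ "$std" = YES ]; then echo "$xfile"
  else echo "$vfile"
  fi
}

# Live check for the syslog case: send one message on the ftp facility and
# see whether it lands in the expected file (logger is in util-linux).
rsyslog_ftp_selftest() {
  target=$(rsyslog_ftp_target < /etc/rsyslog.conf)
  [ -n "$target" ] || { echo "no ftp.* selector in /etc/rsyslog.conf"; return 1; }
  logger -p ftp.info "ftp log selftest $$"
  sleep 1
  grep -q "ftp log selftest $$" "$target"
}

# Constructed samples.
RSYSLOG_SAMPLE='*.info;mail.none;authpriv.none;cron.none   /var/log/messages
# ftp.*   /var/log/old-ftp.log
ftp.*                                                /var/log/pureftpd.log'

# The page's vsftpd settings: xferlog_std_format is commented out.
VSFTPD_SAMPLE='xferlog_enable=YES
#
xferlog_file=/var/log/xferlog
#xferlog_std_format=YES'
```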

(Read full article)

Failed root login attempts recorded in /var/log/secure (grep -v invalid drops attempts against accounts that do not exist, leaving attempts against real accounts such as root)
# grep Failed /var/log/secure | grep -v invalid | tail -5
Jan  1 01:39:54  sshd[6417]: Failed password for root from 192.168.1.1 port 53355 ssh2
Jan  1 01:39:57  sshd[6417]: Failed password for root from 192.168.1.1 port 53355 ssh2
Jan  1 12:18:38  sshd[1556]: Failed password for root from 192.168.1.1 port 54849 ssh2
Jan  1 12:18:41  sshd[1556]: Failed password for root from 192.168.1.1 port 54849 ssh2
Jan  1 12:18:44  sshd[1556]: Failed password for root from 192.168.1.1 port 54849 ssh2

Fail2ban configuration (the page edits /etc/fail2ban/jail.conf directly; putting the same stanza in /etc/fail2ban/jail.local instead keeps it safe from being overwritten by a package update):
# vim /etc/fail2ban/jail.conf
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 3
bantime  = 86400

(Read full article)

Once a server is up and offering services to the Internet, it will be hit around the clock by attack attempts from all over the network unless a firewall or source restrictions are in place, so tools are needed to help deal with the problem.
Below are brute-force attempts against SSH
# grep Failed /var/log/secure
sshd[7935]: Failed password for invalid user cacti from 66.197.211.18 port 39463 ssh2
sshd[7937]: Failed password for invalid user test1 from 66.197.211.18 port 40185 ssh2
sshd[7939]: Failed password for root from 66.197.211.18 port 40773 ssh2
sshd[7966]: Failed password for invalid user git from 66.197.211.18 port 41463 ssh2
sshd[7968]: Failed password for invalid user git from 66.197.211.18 port 42190 ssh2
sshd[7970]: Failed password for mysql from 66.197.211.18 port 42754 ssh2
sshd[7972]: Failed password for mysql from 66.197.211.18 port 43388 ssh2
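Both SSH posts above show the raw material fail2ban works from, and the jail in the first one bans after `maxretry = 3` failures. What the page does not show is the window those failures must fall in: fail2ban's `findtime` option, which defaults to 600 seconds. The block below, added as an example (not code from the page or from fail2ban), replays that rule over `/var/log/secure`-style lines so you can see which sources the jail would ban and how `findtime` changes the answer, and lists the real fail2ban commands for verifying the filter and the live jail. The log lines in the block are constructed in the same format as the page's; timestamps are reduced to seconds within the month, so a window spanning a month boundary is not handled.

```shell
# Added example, not from the page: replay fail2ban's maxretry/findtime
# rule over sshd "Failed password" lines from /var/log/secure.

# Print each source IP the moment it reaches $1 failures (default 3) within
# $2 seconds (default 600, fail2ban's findtime default), once per IP.
ssh_ban_candidates() {
  maxretry=${1:-3}; findtime=${2:-600}
  awk -v maxretry="$maxretry" -v findtime="$findtime" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # "Jan  1 01:39:54" -> seconds within the month (month itself ignored)
      split($3, t, ":")
      ts = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || ip in banned) next
      n[ip]++; times[ip, n[ip]] = ts
      c = 0
      for (j = 1; j <= n[ip]; j++) if (ts - times[ip, j] <= findtime) c++
      if (c >= maxretry) { banned[ip] = ts; print ip }
    }'
}

# Real-world verification of the jail (commands exist; not run at load time):
#   does the sshd filter match your log format, and is the jail active?
fail2ban_verify() {
  fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
  fail2ban-client status ssh-iptables
}

# Constructed lines in /var/log/secure format.
SECURE_SAMPLE='Jan  1 01:39:50 srv sshd[6417]: Failed password for root from 192.168.1.1 port 53355 ssh2
Jan  1 01:39:54 srv sshd[6417]: Failed password for root from 192.168.1.1 port 53355 ssh2
Jan  1 01:39:57 srv sshd[6417]: Failed password for root from 192.168.1.1 port 53355 ssh2
Jan  1 02:10:00 srv sshd[7935]: Failed password for invalid user cacti from 66.197.211.18 port 39463 ssh2
Jan  1 02:30:00 srv sshd[7937]: Failed password for invalid user test1 from 66.197.211.18 port 40185 ssh2
Jan  1 02:31:00 srv sshd[7939]: Failed password for root from 66.197.211.18 port 40773 ssh2
Jan  1 02:31:30 srv sshd[7966]: Failed password for invalid user git from 66.197.211.18 port 41463 ssh2
Jan  1 03:00:00 srv sshd[8001]: Failed password for mysql from 10.0.0.5 port 1234 ssh2'

# Usage on a host:  ssh_ban_candidates 3 600 < /var/log/secure
```

With the jail's `maxretry = 3` and the default `findtime`, the slow scanner that spaces its first two attempts 20 minutes apart is still caught once it speeds up; with a short `findtime` it is not, which is why a low `maxretry` with a long `findtime` is usually the better trade-off for SSH, and why `bantime = 86400` (one day) is reasonable once the threshold is hit.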

(Read full article)

Query on the local machine
-ZZ: use StartTLS and fail if it cannot be negotiated
-x: simple bind instead of SASL; with no -D/-w given, this is an anonymous bind
ldapsearch -x -ZZ -h localhost -b "ou=Teacher,dc=ldap,dc=tces.ilc.edu.tw" uid=t850008
# extended LDIF
#
# LDAPv3
# base <ou=Teacher,dc=ldap,dc=tces.ilc.edu.tw> with scope subtree
# filter: uid=t850008
# requesting: ALL
#

# t850008, Teacher, ldap.tces.ilc.edu.tw
dn: uid=t850008,ou=Teacher,dc=ldap,dc=tces.ilc.edu.tw
uid: t850008
cn:: 5p6X5pit5ZCN
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e2Nye
loginShell: /bin/bash
uidNumber: 953
gidNumber: 500
homeDirectory: /home/t850008

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
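One thing to notice in the output above: the search was an anonymous simple bind (`-x` with no `-D`), and the entry came back with its `userPassword` attribute. That means the directory's access controls let anyone read password hashes, which is worth checking on every LDAP server you run. The block below is an added example (not from the page): it decodes the base64 `::` attributes ldapsearch prints for non-ASCII or binary values, reports whether any entry in an LDIF carries `userPassword`, and wraps the live anonymous query. Host, base DN and the sample LDIF are constructed; `base64 -d` is assumed to be available.

```shell
# Added example, not from the page: does an anonymous bind leak userPassword?

# Decode LDIF "attr:: base64" lines in place; other lines pass through.
# Assumes unfolded LDIF (ldapsearch -LLL output) and a base64 -d binary.
ldif_decode() {
  while IFS= read -r line; do
    case "$line" in
      *'::'*)
        attr=${line%%::*}
        b64=${line#*:: }
        printf '%s: %s\n' "$attr" "$(printf '%s' "$b64" | base64 -d)"
        ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# Read LDIF on stdin; print the DN of every entry that carries a
# userPassword value and return 0, or return 1 if none does.
ldif_password_exposed() {
  awk '
    /^dn:/ { dn = $0 }
    /^userPassword::? / { print dn; found = 1 }
    END { exit !found }'
}

# Live check: anonymous simple bind over StartTLS asking only for
# userPassword.  Any DN printed means the ACL should be tightened to
# something like: to attrs=userPassword by self write by anonymous auth by * none
ldap_anon_password_check() {
  host=$1; base=$2
  ldapsearch -x -ZZ -LLL -H "ldap://$host" -b "$base" '(uid=*)' userPassword \
    | ldif_password_exposed
}

# Constructed LDIF in the shape of the page's output ("{SSHA}ABC" encoded).
SAMPLE_LDIF='dn: uid=t000001,ou=Teacher,dc=example,dc=edu
uid: t000001
cn:: VGVzdCBVc2Vy
objectClass: posixAccount
userPassword:: e1NTSEF9QUJD
loginShell: /bin/bash'

# Usage on a host:
#   ldap_anon_password_check localhost "ou=Teacher,dc=ldap,dc=tces.ilc.edu.tw"
#   ldapsearch -x -ZZ -LLL -H ldap://localhost -b "..." uid=t850008 | ldif_decode
```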

(Read full article)